Tag Archives: FOI Request

Breach details

What

Spreadsheets containing sensitive personal data in a ‘hidden’ workbook were uploaded on three occasions to the WhatDoTheyKnow.com FOIA website in response to an FOIA request. The data included details on housing applicants’ sexuality, ethnicity, domestic violence and criminal offending.

How much

2,375 records.

When

26 June 2012

Why

Spreadsheets prepared by one department in response to an FOIA request used pivot tables to provide the summary information requested; however, the published spreadsheets also contained the raw source data in hidden worksheets within the same spreadsheet. The request originated via the WhatDoTheyKnow website, which automatically publishes all FOIA responses to the web, making them publicly available.
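A pre-release check for the failure described above, added here as an example and not taken from the ICO notice or the original post. It flags hidden worksheets in an .xlsx file and goes one step further by counting the source rows that a pivot table keeps in its cache, which stay in the file even when the source sheet is removed. The function names and the sample workbook are constructed for illustration, and legacy .xls files are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_xlsx(data: bytes) -> dict:
    """Report hidden worksheets and cached pivot source rows in an .xlsx file."""
    findings = {"hidden_sheets": [], "pivot_cache_rows": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            # state is absent or "visible" for normal sheets;
            # "hidden" and "veryHidden" sheets do not show as tabs.
            state = sheet.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in z.namelist():
            # Pivot tables keep a copy of their source rows in these parts,
            # even if the source worksheet itself has been deleted.
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                rows = ET.fromstring(z.read(name)).findall("m:r", NS)
                findings["pivot_cache_rows"][name] = len(rows)
    return findings

def safe_to_publish(data: bytes) -> bool:
    """True only if no hidden sheet and no cached pivot source row is present."""
    f = audit_xlsx(data)
    return not f["hidden_sheets"] and not any(f["pivot_cache_rows"].values())

def build_sample(hidden: bool) -> bytes:
    """Constructed minimal package (only the parts the audit reads)."""
    ns = NS["m"]
    state = ' state="hidden"' if hidden else ""
    workbook = (f'<workbook xmlns="{ns}"><sheets>'
                f'<sheet name="Summary" sheetId="1"/>'
                f'<sheet name="RawData" sheetId="2"{state}/>'
                f'</sheets></workbook>')
    records = (f'<pivotCacheRecords xmlns="{ns}" count="2">'
               f'<r><s v="row one"/></r><r><s v="row two"/></r>'
               f'</pivotCacheRecords>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        if hidden:
            z.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    return buf.getvalue()
```

A file that fails the check is better re-exported as values only (for example to CSV) than edited in place, since unhiding or deleting a sheet does not clear the pivot cache.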

Regulatory action

Regulator

ICO

Action

Monetary Penalty notice of £70,000

When

20 August 2013

Why the regulator acted

Breach of act

Breach of the Seventh Data Protection Principle: the Council did not have processes in place to ensure that personal information was not published in response to an FOIA request and failed to provide adequate training for the staff dealing with FOIA responses (such as how to check for hidden data within Excel).

Known or should have known

The Council should have known that in the absence of a robust checking policy, personal data may be exposed in response to an FOIA request.

Likely to cause damage or distress

The disclosure of sensitive personal information of the data subjects would cause them substantial distress, particularly as it is known that the information had been downloaded by unknown third parties seven times. The Council is facing separate legal action from a number of the data subjects. The Commissioner also noted that there is a risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.

BW Observations

If the ICO considered an MPN appropriate, then a penalty of £70,000 for the repeated release of 2,375 items of sensitive personal data to a public website seems good value for the Data Controller. However, the basis for the ICO’s assertion that the Council ‘knew or should have known’ appears to be weak.

Why
After a Freedom of Information request, the Crown Prosecution Service mistakenly released the names of 299 people arrested during protests over tuition fees in 2010 and 2011.

The FOI request by a member of the public was to provide figures for costs and resources used in the Metropolitan Police’s Operation Malone (the investigations following a series of demonstrations by students against tuition fees in 2010 and 2011). In response they received a spreadsheet detailing not only Operation Malone but also other disturbances, and containing the names and other sensitive data of 299 people, 44 of whom were under 18, and 116 of whom were not charged.

Regulator

None to date.

Regulatory action
None to date; however, a spokesperson for the Information Commissioner told The Huffington Post UK that they were looking into the case.

Why
Personal data relating to drug offences by 600 arrested individuals was accidentally included in a spreadsheet given to a journalist following a Freedom of Information request.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all responses to FOI requests are double checked, preferably by a manager, to ensure that no personal data is included. Written procedures should be implemented and staff must be trained in following that policy.

Reason for action
The Commissioner felt that the likelihood of identification was reduced as the offenders’ names were not included in the attachment. Formal assurances were received that the email and spreadsheet were promptly deleted. All staff members have since been provided with comprehensive training relating to FOI requests.